Apache Pre VirtualHost Include and SSL Cipher Suite cPanel Config

vlee

Well-Known Member
Oct 13, 2005
373
26
178
Spokane, Washington
cPanel Access Level
Root Administrator
Just being nice today...

I found this following configuration below is very helpful in providing solid security on cPanel servers.

Scored a A+ on SSL Server Test at SSL Server Test (Powered by Qualys SSL Labs)

No weak Cipher Suites at all.

Everyone is welcome use what I have and even improve it and please post your improvements in this thread thank you.

SSL Cipher Suite
Code:
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256
Apache Pre VirtualHost Include
Code:
# Enable SSLUseStapling
SSLUseStapling on
SSLStaplingCache shmcb:/tmp/stapling_cache(128000)
SSLHonorCipherOrder On
SSLCompression off

# Enable HTTP Strict Transport Security
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

# Enable HTTP Secure Cookie
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

# DISABLE CACHING
<IfModule mod_headers.c>
    Header set Cache-Control "max-age=0, private, no-cache, no-store, must-revalidate"
    Header set Pragma "no-cache"
    Header set Expires 0
</IfModule>

# Enable GZIP Compression.
<IfModule mod_deflate.c>
    SetOutputFilter DEFLATE
    <IfModule mod_setenvif.c>
        # Netscape 4.x has some problems...
        BrowserMatch ^Mozilla/4 gzip-only-text/html
      
        # Netscape 4.06-4.08 have some more problems
        BrowserMatch ^Mozilla/4\.0[678] no-gzip
      
        # MSIE masquerades as Netscape, but it is fine
        # BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
      
        # NOTE: Due to a bug in mod_setenvif up to Apache 2.0.48
        # the above regex won't work. You can use the following
        # workaround to get the desired effect:
        BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html
      
        # Don't compress images
        SetEnvIfNoCase Request_URI .(?:gif|jpe?g|png)$ no-gzip dont-vary
    </IfModule>
 
    <IfModule mod_headers.c>
        # Make sure proxies don't deliver the wrong content
        Header append Vary User-Agent env=!dont-vary
    </IfModule>
</IfModule>
I hope this helps you all out.
 

PbG

Well-Known Member
Mar 11, 2003
246
0
166
Thank you again vlee! This suite looks good! I just need to figure out how to change the sort order so all 256 are preferred over 128.



Just being nice today...

I found this following configuration below is very helpful in providing solid security on cPanel servers.

Scored a A+ on SSL Server Test at SSL Server Test (Powered by Qualys SSL Labs)

No weak Cipher Suites at all.

Everyone is welcome use what I have and even improve it and please post your improvements in this thread thank you.

SSL Cipher Suite
Code:
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256


I hope this helps you all out.
 
Last edited: